node-forge
Advanced tools
Changelog
1.3.1 - 2022-03-29
DigestAlgorithm
NULL
parameters
for sha*
algorithms and require NULL
paramters for md2
and md5
algorithms.Changelog
1.3.0 - 2022-03-17
digestAlgorithm
structure can lead to
signature forgery.
DigestInfo
ASN.1 structure. This can allow padding bytes to be removed
and garbage data added to forge a signature when a low public exponent is
being used. For more information, please see "Bleichenbacher's RSA
signature forgery based on implementation
error"
by Hal Finney.DigestInfo
is not properly checked for proper ASN.1 structure. This can
lead to successful verification with signatures that contain invalid
structures but a valid digest.fromDer
is now more strict and will default to ensuring all input
bytes are parsed or throw an error. A new option parseAllBytes
can disable
this behavior.
RSASSA-PKCS-v1_5
DigestInfo
data. Additionally check that the hash
algorithm identifier is a known value from RFC 8017
PKCS1-v1-5DigestAlgorithms
. An invalid DigestInfo
or algorithm identifier
will now throw an error.
1.2.840.113549.2.2
/ md2
2.16.840.1.101.3.4.2.4
/ sha224
2.16.840.1.101.3.4.2.5
/ sha512-224
2.16.840.1.101.3.4.2.6
/ sha512-256
Changelog
1.2.1 - 2022-01-11
URLSearchParams
.Changelog
1.2.0 - 2022-01-07
1.3.14.3.2.29 / sha1WithRSASignature
for sha1 with
RSA. Considered a deprecated equivalent to 1.2.840.113549.1.1.5 / sha1WithRSAEncryption
. See discussion and
links.Changelog
1.1.0 - 2022-01-06
Changelog
1.0.0 - 2022-01-04
forge.debug
API. The API has the
potential for prototype pollution. This API was only briefly used by the
maintainers for internal project debug purposes and was never intended to be
used with untrusted user inputs. This API was not documented or advertised
and is being removed rather than fixed.forge.util.parseUrl()
(and
forge.http.parseUrl
alias) and use the WHATWG URL
Standard. URL
is supported by modern browers
and modern Node.js. This change is needed to address URL parsing security
issues. If forge.util.parseUrl()
is used directly or through forge.xhr
or
forge.http
APIs, and support is needed for environments without URL
support, then a polyfill must be used.forge.task
API. This API was never used, documented,
or advertised by the maintainers. If anyone was using this API and wishes to
continue development it in other project, please let the maintainers know.
Due to use in the test suite, a modified version is located in
tests/support/
.forge.util.makeLink
, forge.util.makeRequest
,
forge.util.parseFragment
, forge.util.getQueryVariables
. Replace with
URL
, URLSearchParams
, and custom code as needed.master
branch to main
.v
. Other tools, scripts, or scanners may need to adapt.surname
, title
, and givenName
.serialName
to serialNumber
.
Depending on how applications used this id to name association it could cause
compatibility issues.Changelog
0.10.0 - 2020-09-01
util.getPath
, util.setPath
, and util.deletePath
.
util.setPath
had a potential prototype pollution security issue when used
with unsafe inputs. These functions are not used by forge
itself. They date
from an early time when forge
was targeted at providing general helper
functions. The library direction changed to be more focused on cryptography.
Many other excellent libraries are more suitable for general utilities. If
you need a replacement for these functions, consider get
, set
, and unset
from lodash. But also consider the potential similar
security issues with those APIs.Changelog
0.9.2 - 2020-09-01
util.setPath
security note to function docs and to README.util.setPath
function has the potential to cause
prototype pollution if used with unsafe input.
forge
.util.getPath
and util.setPath
.
Consider get
and set
from lodash if you need
replacements. But also consider the potential similar security issues with
those APIs.